2004:04 (Volume 2) Dependency Defence and Dependency Analysis Guidance

SKI Report 2004:04

Research

Dependency Defence and Dependency Analysis Guidance

Volume 2: Appendix 3-8

How to analyse and protect against dependent failures. Summary report of the Nordic Working group on Common Cause Failure Analysis

Gunnar Johanson
Per Hellström
Tuomas Mankamo
Jean-Pierre Bento
Michael Knochenhauer
Kurt Pörn

October 2003

ISSN 1104–1374 ISRN SKI-R-04/04-SE

SKI PERSPECTIVE

Background

SKI sets requirements on PSA studies and PSA activities in SKIFS 1998:1. Follow-up of these activities is therefore part of SKI's supervisory activities. According to the requirements in SKIFS 1998:1, the safety analyses shall be based on a systematic inventory of such events, event sequences and conditions that may lead to a radiological accident.

The research report Vägledning för försvar och analys av beroenden (Guidance for Defence and Analysis of Dependencies) has been developed on behalf of the Nordic PSA Group (NPSAG), with the aim of creating a common experience base for defence and analysis of dependent failures, so-called Common Cause Failures (CCF).

The Aim of SKI and of the Report

The word Guidance in the report title is used to make clear a common methodological guidance, accepted by the NPSAG, that is based on the very latest knowledge of the analysis of dependent failures and adapted to the conditions considered to apply to Nordic nuclear power plants. This will make it possible for the licensees to carry out cost-effective improvements and analyses.

Results

The report Vägledning för försvar och analys av beroenden presents a joint attempt by the authority and the licensees to create a methodology and experience base for defence and analysis of dependent failures.

Possible Continued Activities within the Area

Experience from the application of the report's guidance is to be awaited; any major changes and additions to the guidance document will be decided on at a later time. Development and refinement of methods are, however, ongoing, as higher demands are placed on new analysis assumptions and depth of analysis.

Effect on SKI Activities

SKI Report 04:04, Vägledning för försvar och analys av beroenden, is also judged to be good support for the authorities in their review of the various licensees' operational processes and analysis methods associated with analyses of dependent failures.

Project Information

SKI's project manager: Ralph Nyman. Project number: 01031.

SKI PERSPECTIVE

Background

The Swedish Nuclear Inspectorate (SKI) Regulatory Code SKIFS 1998:1 includes requirements regarding the performance of probabilistic safety assessments (PSA), as well as PSA activities in general. Therefore, the follow-up of these activities is part of the inspection tasks of SKI.

According to SKIFS 1998:1, the safety analyses shall be based on a systematic identification and evaluation of such events, event sequences and other conditions which may lead to a radiological accident.

The research report “Dependency Defence and Dependency Analysis Guidance” has been developed under a contract with the Nordic PSA Group (NPSAG), with the aim to create a common experience base for defence and analysis of dependent failures, i.e., Common Cause Failures (CCF).

The Aim of SKI and of the Report

The word Guidance in the report title is used to indicate a common methodological guidance accepted by the NPSAG, based on the current state of the art concerning the analysis of dependent failures and adapted to conditions relevant for the Nordic nuclear power plants. This will make it possible for the utilities to perform cost effective improvements and analyses.

Results

The report “Dependency Defence and Dependency Analysis Guidance” presents a common attempt by the authorities and the utilities to create a methodology and experience base for defence and analysis of dependent failures.

Possible Continued Activities within the Area

Experience from the application of the Guidance is to be awaited, i.e., major changes or extensions to the document will be decided at a later stage. However, the development of methods is an on-going process, guided by changes in analysis assumptions or an increased level of detail of the analysis.

Effect on SKI Activities

The SKI Report 04:04 “Dependency Defence and Dependency Analysis Guidance” is judged to be useful in supporting the authority’s review of procedural and organizational processes at utilities and of methodology for the analysis of dependent failures.

Project Information

Project responsible at SKI: Ralph Nyman. Project number: 01031.

SKI Report 2004:04

Research

Dependency Defence and Dependency Analysis Guidance

Volume 2: Appendix 3-8

How to analyse and protect against dependent failures. Summary report of the Nordic Working group on Common Cause Failure Analysis

Gunnar Johanson, ES-konsult AB, Svetsarvägen 7, SE-171 41 Solna, Sweden
Per Hellström, Relcon AB, Box 1288, SE-172 25 Sundbyberg, Sweden
Tuomas Mankamo, Avaplan Oy, Itainen rantatie 17B, FIN-0223
Jean-Pierre Bento, JPB Consulting AB, Box 68, SE-611 23 Nyköping, Sweden
Michael Knochenhauer, Impera-K AB, Kyrkvägen 20, SE-196 30 Kungsängen, Sweden
Kurt Pörn, Pörn Consulting AB, Skivlingvägen 24, SE-611 63 Nyköping, Sweden

October 2003

SKI Project Number 01031

This report concerns a study which has been conducted for the Swedish Nuclear Power Inspectorate (SKI). The conclusions and viewpoints presented in the report are those of the author/authors and do not necessarily coincide with those of the SKI.

Outline of project reporting

Title / Report No

SKI REPORT 04:04 Volume 1 (150 pages)
  Summary: Summary report of the Nordic Working group on Common Cause Failure Analysis  PR21
  Appendix 1: Dependency Defence Guidance  PR12
  Appendix 2: Dependency Analysis Guidance  PR13

SKI REPORT 04:04 Volume 2
  Appendix 3: How to protect against dependent failures
    Appendix 3.1: Survey of defences against dependent failures  PR05
    Appendix 3.2: Defence Assessment in Data  PR20
  Appendix 4: How to model and analyse dependent failures
    Appendix 4.1: Model Survey  PR04
    Appendix 4.2: Impact Vector Method  PR03
    Appendix 4.3: Impact Vector Construction Procedure  PR17
    Appendix 4.4: Pilot Application (see Impact Vector Application to Diesel Generators, PR10/Appendix 5.5)
  Appendix 5: Data for dependent failures
    Appendix 5.1: Data Survey and Review  PR02
    Appendix 5.2: Data survey and review of the ICDE-database for Swedish emergency diesel generators  PR11
    Appendix 5.3: Qualitative analysis of the ICDE database for Swedish emergency diesel generators  PR08
    Appendix 5.4: Updating the CCF Analysis of Control Rod and Drive Assemblies for the Nordic BWRs  PR09
    Appendix 5.5: Impact Vector Application to Diesels  PR10
    Appendix 5.6: Impact Vector Application to Pumps  PR18
    Appendix 5.7: Impact Vector Application to MOV  PR19
    Appendix 5.8: A Statistical Method for Uncertainty Estimation of CCF Parameters Uncertainties  PR15
  Appendix 6: Literature survey  PR06
  Appendix 7: Terms and definitions  PR14
  Appendix 8: Nordisk Arbetsgrupp för CCF Studier, Project Programme  PR01

Project Report list: SKI REPORT 04:04

No  Title  Appendix

PR01  Nordisk Arbetsgrupp för CCF Studier, Project Programme  Appendix 8
PR02  Data Survey and Review  Appendix 5.1
PR03  Impact Vector Method  Appendix 4.2
PR04  Model Survey  Appendix 4.1
PR05  Survey of defences against dependent failures  Appendix 3.1
PR06  Literature survey  Appendix 6
PR08  Qualitative analysis of the ICDE database for Swedish emergency diesel generators  Appendix 5.3
PR09  Updating the CCF Analysis of Control Rod and Drive Assemblies for the Nordic BWRs  Appendix 5.4
PR10  Impact Vector Application to Diesels  Appendix 5.5
PR11  Data survey and review of the ICDE-database for Swedish emergency diesel generators  Appendix 5.2
PR12  Dependency Defence Guidance  Appendix 1
PR13  Dependency Analysis Guidance  Appendix 2
PR14  Terms and definitions  Appendix 7
PR15  A Statistical Method for Uncertainty Estimation of CCF Parameters Uncertainties  Appendix 5.8
PR17  Impact Vector Construction Procedure  Appendix 4.3
PR18  Impact Vector Application to Pumps  Appendix 5.6
PR19  Impact Vector Application to MOV  Appendix 5.7
PR20  Defence Assessment in Data  Appendix 3.2

SKI 04:04 Appendix 3-8

Appendix  Title  Report No

Appendix 1  Dependency Defence Guidance  PR12
Appendix 2  Dependency Analysis Guidance  PR13
Appendix 3  How to protect against dependent failures
  Appendix 3.1  Survey of defences against dependent failures  PR05
  Appendix 3.2  Defence Assessment in Data  PR20
Appendix 4  How to model and analyse dependent failures
  Appendix 4.1  Model Survey  PR04
  Appendix 4.2  Impact Vector Method  PR03
  Appendix 4.3  Impact Vector Construction Procedure  PR17
  Appendix 4.4  Pilot Application (see Impact Vector Application to Diesel Generators, PR10/Appendix 5.5)
Appendix 5  Data for dependent failures
  Appendix 5.1  Data Survey and Review  PR02
  Appendix 5.2  Data survey and review of the ICDE-database for Swedish emergency diesel generators  PR11
  Appendix 5.3  Qualitative analysis of the ICDE database for Swedish emergency diesel generators  PR08
  Appendix 5.4  Updating the CCF Analysis of Control Rod and Drive Assemblies for the Nordic BWRs  PR09
  Appendix 5.5  Impact Vector Application to Diesels  PR10
  Appendix 5.6  Impact Vector Application to Pumps  PR18
  Appendix 5.7  Impact Vector Application to MOV  PR19
  Appendix 5.8  A Statistical Method for Uncertainty Estimation of CCF Parameters Uncertainties  PR15
Appendix 6  Literature survey  PR06
Appendix 7  Terms and definitions  PR14

NAFCS

Nordisk Arbetsgrupp för CCF studier NAFCS-PR05

Title: Survey on Defences against Dependent Failures

Author(s): Per Hellström, RELCON AB

Issued By: Per Hellström, RELCON AB

Reviewed By: Michael Knochenhauer, Impera-K; Tuomas Mankamo, Avaplan OY

Approved By: Gunnar Johanson

Abstract: This report presents a plant and regulatory survey on defences against dependent failures. The survey is carried out as part of the qualitative work performed within the Nordiska arbetsgruppen för CCF studier (NAFCS). The survey investigates current plant and regulatory strategies for defence against dependent failures, and especially common cause failures. Examples of defences in use are presented.

Doc.ref: Project reports

Distribution: WG, Project WebSite, Project archive

Confidentiality control: Public??

Revision control:

Version  Date  Initial  Comment
A1  2001-10-24  PH  Created
A2  2002-03-11  PH  For presentation at SKI CCF seminar
A3  2002-03-18  PH  For internal review
A4  2002-09-09  PH  Consideration of MK and TM comments: new title
F1 rev 0  2003-08-31  PH  Final update

List of Content

Survey on Defence against Dependent Failures
1 Introduction
1.1 Background
1.2 Objectives
1.3 Scope of Dependency Defences Survey
2 Survey Organisation
2.1 Survey Meetings
3 Survey Results
3.1 Results from Regulatory Visits and Communication
3.1.1 STUK
3.1.2 SKI
3.2 Observations and Discussion of Regulatory involvement in CCF defence
3.3 Plant Aspects
3.3.2 Implementation
3.3.3 Maintenance and Testing
3.3.4 Failure Reporting
3.3.5 Plant Information system
3.3.6 Exchange of Experience
3.4 Most Important Contributors and Defences
4 Conclusions
5 References

List of tables

Table 1: Organisations Covered by the Survey Activity
Table 2: Opinion on Dominating Contributors to CCF
Table 3: Opinion on Important Defences Against Dependencies
Table 4: Dependency Defence Factors Noted during Survey Meetings

Appendices

A) Questionnaire and items for discussion for Plant Survey Meetings
B) Agenda for Plant Survey Visits
C) Notes from STUK Visit
D) Notes from SKI Visit
E) Notes from OKG Visit
F) Notes from BKAB Visit
G) Notes from TVO Visit
H) Notes from Forsmark Visit

Terms and Abbreviations

BKAB Barsebäck Kraft AB
BWR Boiling Water Reactor
Bicycle Tool for accessing the TUD database with failure records
CCF Common Cause Failure
CFR Code of Federal Regulation
CRDA Control Rod Drive Assembly
DKV Driftklarhetsverifiering (operational readiness control)
FKA Forsmarks Kraftgrupp AB
GDC General Design Criteria
IAEA International Atomic Energy Agency
ICDE International Common Cause Data Exchange
INPO International Nuclear Power Organisation
KFB Konstruktionsförutsättningar för byggnader (design prerequisites for buildings)
KFE Konstruktionsförutsättningar för elektriska komponenter (design prerequisites for electrical components)
KFM Konstruktionsförutsättningar för mekaniska komponenter (design prerequisites for mechanical components)
KSU AB Kärnkraftsäkerhet och utbildning AB (Nuclear Safety and Training Center)
NAFCS Nordisk Arbetsgrupp för CCF-studier
NOG Nuclear Owners Group
NPP Nuclear Power Plant
NRC Nuclear Regulatory Commission
OKG Oskarshamns Kraftgrupp
PSA Probabilistic Safety Assessment
PSG Primär Säkerhetsgranskning (Primary Safety Review)
RO Rapporterbar omständighet (LER/Licensee Event Report)
SAR Safety Analysis Report
SKI Statens Kärnkraftinspektion (Swedish Nuclear Authority)
SKIFS SKI författningssamling (SKI statute books)
STF Säkerhetstekniska förutsättningar (Technical Specifications)
STUK Radiation and Nuclear Safety Authority of Finland
TBE Tekniska bestämmelser för elkomponenter (Technical rules for Electrical Components)
TBM Tekniska bestämmelser för mekaniska komponenter (Technical rules for Mechanical Components)
TUD Tillförlitlighet Underhåll Drift (Department at Swedpower responsible for collecting and distributing reliability related information)
TVO Teollisuuden Voima Oy


Survey on Defence against Dependent Failures

1 Introduction

1.1 Background

Defence in depth is a basic safety precaution in an NPP, and it is realised by redundancy and separation/diversity. It is important that redundant equipment has as little as possible in common in order to decrease the risk of dependent failures. It is obvious that functional dependencies, like two redundancies depending on the same signal or power supply, are a bad solution in cases where high reliability and safety are needed. There has to be complete separation at the functional level so that a single failure cannot interrupt a function.

Spatial dependencies may also be critical, due to the potential for so called area events like fires, flood and also the same normal environment affecting components in the same location. Separation of redundancies in different locations or at least by distance is therefore also an important defence against dependent failures.

Both functional and area dependencies can in a safety analysis be treated with explicit modelling, and the defences are quite obvious. A PSA model can be used to verify that the single failure criterion is fulfilled, and also to find cases of violation of functional separation. Weaknesses in spatial separation can also be identified, e.g. by special use of the PSA model.

Still, there are so called subtle interactions, due to commonalities on a very low level of detail, that can decrease the efficiency of redundancies. These kinds of dependencies are in probabilistic safety analysis treated as so called common causes, and their impact on the reliability is calculated with common cause failure analysis methods.

The basic CCF formula for a system with 2*100% redundancy is (beta factor):

$$P_{system} = (1 - \beta)\, P_{train}^{2} + \beta\, P_{train}$$

where

P_system: total system failure probability
P_train: train failure probability
β: CCF factor, indicating the share of independent failure probability that affects both trains.

The formula shows that there are two ways to increase the system reliability performance.

1. High reliability of individual trains, i.e. low P_train

2. Low dependency between the trains, i.e. low CCF contribution (low β).

Many factors contribute to a high reliability, and they may also contribute to keep the risk for common cause failures on a low level. There are in addition factors that are targeted against CCF. The survey described below concentrated on the latter factors of defence, but several factors effective to consider other dependencies in general are also included.
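As an added example (not code from the NAFCS report), the beta-factor formula above for a 2*100% system worked in Python; the function names and the sample values P_train = 0.01 and β = 0.1 are assumptions chosen here, and compare_levers generalises the two levers listed above so that they can be compared from a given starting point.

```python
# Added example: beta-factor CCF model for a 2*100% redundant system, as stated
# in the report: P_system = (1 - beta) * P_train**2 + beta * P_train.
# Function names and the sample values below are assumptions of this example.


def system_failure_probability(p_train: float, beta: float) -> float:
    """Total failure probability of a two-train system under the beta-factor model.

    First term:  both trains fail independently of each other.
    Second term: the share beta of a train failure that takes both trains out
                 at once (the common cause contribution).
    """
    if not 0.0 <= p_train <= 1.0 or not 0.0 <= beta <= 1.0:
        raise ValueError("p_train and beta must lie in [0, 1]")
    return (1.0 - beta) * p_train ** 2 + beta * p_train


def ccf_share(p_train: float, beta: float) -> float:
    """Fraction of P_system that comes from the common cause term beta * P_train."""
    total = system_failure_probability(p_train, beta)
    return (beta * p_train) / total if total > 0.0 else 0.0


def compare_levers(p_train: float, beta: float, factor: float = 2.0) -> dict:
    """P_system after improving one lever by 'factor'.

    'better_trains'   divides P_train by factor (lever 1 in the text);
    'less_dependency' divides beta by factor (lever 2 in the text).
    """
    if factor <= 1.0:
        raise ValueError("factor must be greater than 1")
    return {
        "baseline": system_failure_probability(p_train, beta),
        "better_trains": system_failure_probability(p_train / factor, beta),
        "less_dependency": system_failure_probability(p_train, beta / factor),
    }


if __name__ == "__main__":
    # Constructed sample values: P_train = 1e-2 per demand, beta = 0.1.
    p, b = 1e-2, 0.1
    print(f"P_system  = {system_failure_probability(p, b):.3e}")
    print(f"CCF share = {ccf_share(p, b):.1%}")
    for name, value in compare_levers(p, b).items():
        print(f"{name:16s} {value:.3e}")
```

With these sample values the common cause term supplies over 90% of P_system, and halving P_train lowers P_system slightly more than halving β, because the term β·P_train also scales with the train failure probability.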


1.2 Objectives

The objectives for the survey as presented in the NAFCS project programme [1] were to provide a background to the NAFCS project based on the needs and experience of the plant owners and of the authorities:

1. Survey of plant objectives in relation to CCF defences

2. Survey of plant operations/events in relation to CCF

3. Survey of plant modifications in relation to CCF

4. Survey of plant organisation/rules (extension compared to project programme)

5. Survey of authority requirements, guidance and activities (extension compared to project programme)

Important elements of the survey were also to carry out a dialogue with the organisations, to engage them in the issues related to the programme and to market the outcome and use of the project.

The survey should reach a wide spectrum of personnel from operation, design engineering, safety committees and risk assessment groups.

The final survey result considers several CCF defence areas as can be seen in the result section.

The survey focussed on the way that the plants and authorities provide a defence against dependent failures (standards, quality assurance system, internal guidelines and work descriptions and practices in use) with special attention for common cause failure defences.

The results of the survey are to be used for further processing within the project for the following purposes:

1. Creation of a Qualitative CCF defence model

2. Discussion on potential benefit of existing defences in quantitative CCF analysis

3. Input to a defence guidance document.

1.3 Scope of Dependency Defences Survey

The scope is (implicitly) restricted to CCF type dependencies (component failure dependencies, pre-initiator error dependencies).

It became evident during the visits that it is difficult to completely separate common cause failure defences from other dependency defences, e g defences with regard to area dependencies and functional dependencies. Certain defences will be effective against several types of dependencies.

The defences that are looked at are in principle restricted to defences that decrease the probability of common cause failures.

Section 2 presents the survey activity, section 3 presents the results and section 4 the conclusions of the survey.


2 Survey Organisation

2.1 Survey Meetings

The organisations listed in Table 1 are included in the survey.

Table 1: Organisations Covered by the Survey Activity (organisation, date and duration of visit, meeting participants; see footnote 2).

OKG, 2001-09-18 (1 day, whole group together): Frithiof Schwartz (TR), Michael Landelius (TR), John Svensson (D2Q-D), Johan Melkersson (D3D), Mats Gustafsson (D1F).

Barsebäck, 2001-09-19 (1 day, whole group together): Ingemar Ingemarsson (PSA/FoU), André Strömberg (SP, maintenance/planning), Ulf Hansson (BTS; control room, BOKA, SAR/PSA).

SKI, 2001-11-07 (2 hours, whole group together): Ralph Nyman, Anders Hallman, Bo Liwång, Kjell Olsson.

STUK, 2001-11-21 (2 hours, whole group together): Reino Virolainen, Ilkka Niemelä.

TVO, 2001-11-30 (1 day, separate small meetings and summary meeting): Jari Pesonen and Risto Himanen (PSA group), Ingvald Lilja (Operation), Markku Friberg and O Luhta (Safety committee), J Tanhua (Maintenance), Sami Jakonen (Engineering).

Forsmark, 2001-12-03 (4 hours, whole group together): Jan-Erik Stenmarck, Bjarne Grönqvist (cFTE).

Ringhals could not participate in the survey visits.

The following material was used as a basis for the discussions and was sent to the organisations before the meetings (see footnote 3):

1. A questionnaire (see appendix A). The questionnaire contains questions, statements and explanations in rather raw form. The discussions were structured against this questionnaire.

2. A copy of the report “Defences Against Common Cause Failures..“ [2]

3. A PowerPoint presentation of the project

4. Site specific example CCF data reports from the ICDE database.

The agenda at each meeting had the structure presented in appendix B.

Footnote 2: Per Hellström, RELCON, attended all meetings.

Footnote 3: A separate questionnaire, developed by Mr Tuomas Mankamo in support of a Nordic PSA project on control rod CCF, was also discussed during the meetings. The results of the control rod investigation are reported separately.


The length of the meetings varied between two hours and a full working day. Limits on the resources allocated to the survey activity mean that the survey itself is limited. There are also differences in the number of personnel involved from each organisation, which together with the length of the meetings make a comparison of information from each meeting difficult.

It has to be stressed that the survey is not an inspection or an attempt to compare the organisations with each other. The information collected during the visits is summarised in the result section as different principles, approaches, good practices and rules that have an impact on the dependent failure defence.

The individual meeting notes are documented separately and are not published.

3 Survey Results

3.1 Results from Regulatory Visits and Communication

Both STUK and SKI are involved in the safety work as regulators meaning that requirements are stated in regulatory documents and the organisations form part of the reporting of abnormal events (Licensee Event Reports) and follow-up and analysis of these.

The regulators also have an inspection role to review that current regulatory requirements are fulfilled.

Some aspects related to CCF defence in relation to the authorities STUK and SKI are presented below. It has to be stressed that the visits and discussions with both SKI and STUK were very short, and this report therefore cannot provide the full picture of CCF defence activities.

3.1.1 STUK

A State Council Decision requires systems to be safe with good redundancy, separation and diversity.

STUK has several Regulatory guides (YVL series) indicating requirements related to CCF defence. Examples are:

YVL 1.0 [3]: Safety criteria for design of nuclear power plants (current version 12 Jan 1996)
YVL 1.5 [4]: Reporting nuclear power plant operation to the Finnish Centre for Radiation and Nuclear Safety (current version 1 Jan 1995)
YVL 2.7 [5]: Ensuring a nuclear power plant's safety functions in provision for failures (current version 20 May 1996)
YVL 2.8 [6]: Probabilistic Safety Analyses (PSA) (current version 20 Dec 1996)

It is required to have data collection and data processing systems (YVL 1.5). It is required to have statistical trend analyses (YVL 1.5).


One should be able to identify CCF events. Training in CCF identification is performed.

Below is an excerpt from STUK regulatory guide YVL 1.0 (Safety criteria for design of nuclear power plants, 12 Jan. 1996).

If inherent safety features cannot be made use of in ensuring a safety function, priority shall be given to systems and components which do not require an off-site power supply or which, in consequence of a loss of power supply, will settle in a state preferable from the safety point of view.

Systems which perform the most important safety functions shall be able to carry out their functions even though an individual component in any system would fail to operate and, additionally, any component affecting the safety function would be out of operation simultaneously due to repairs or maintenance (redundancy principle).

Safety systems which back up each other as well as parallel parts of safety systems shall be separated from each other so that their failure due to an external common cause failure is unlikely (separation principle).

In ensuring the most important safety functions, systems based on diverse principles of operation shall be used to the extent possible (diversity principle).

Detailed requirements for the application of failure criteria and the diversity principle can be found in Guide YVL 2.7.

An excerpt from YVL 2.8 (Probabilistic safety analyses (PSA), 20 Dec. 1996):

According to the Nuclear Energy Decree, section 36, the applicant for a licence has to submit the PSA to the Finnish Centre for Radiation and Nuclear Safety (STUK) while applying for an operating licence. According to the Council of State Decision (395/91), second paragraph, section 6, nuclear power plant safety and the design of its safety systems shall be substantiated by accident analyses and probabilistic safety analyses. Analyses shall be maintained and revised if necessary, taking into account operating experience, the results of experimental research and the advancement in calculating methods.

Activities discussed during the STUK visit as being part of the defence against CCF are:

1. The requirement for in-house PSA analysis (since 1984). There is a practice to send the latest PSA model to STUK twice a year.

2. Operating experience is collected and reported.

3. Use of PSA to identify design errors. This has resulted in changes.

4. PSA reviews. Weak design points have been identified by these reviews.

5. Requirement for Living PSA.

6. Low threshold for reporting (judgement by STUK).

7. Inspections.

8. Replacement principles are important to identify and defend against ageing problems. A special potential CCF event concerning TVO isolation valves led to exchange from Bakelite gears to brass gears, and discussion about

9. Compilation of the report “Human based Common Cause Failures in Finnish plants”. The report presents 10-15 events during the last 10-15 years. Many events are related to distraction during work, e.g. due to delays.

10. The production of two recent reports (excerpts from draft versions received during the visit) in an EU project on the harmonisation in the field of safety of nuclear installations (survey of PSA from both TVO and IVO): R. Virolainen, “Major Risk Informed Plant and Procedural Changes at Loviisa 1 and 2” [7], STUK 15/6 2000, and R. Virolainen et al., “Use of Living PSA in Regulatory Decision-Making” [8].

3.1.2 SKI

SKI has one main document, SKIFS 1998:1 [9], with requirements on nuclear power plant safety analysis and reporting. The following is an excerpt from SKIFS 1998:1.

1 § Basic safety provisions are laid down in section 4, first paragraph, of the Act (1984:3) on Nuclear Activities. Radiological accidents shall be prevented by means of, on the one hand, a basic design adapted to each facility, which shall include multiple barriers, and on the other hand a defence in depth adapted to each facility. The defence in depth shall be achieved by ensuring that

– the design, construction, operation, monitoring and maintenance of a facility are such that operational disturbances and accidents are prevented,

– there are multiple devices and prepared measures which shall protect the barriers against breach and, should such a breach occur, limit its consequences, and

– releases of radioactive substances which may nevertheless occur as a result of operational disturbances and accidents are prevented or, if this is not possible, controlled and limited by means of devices and prepared measures.

1 § requires defence in depth to be achieved by design, construction, operation, inspection and maintenance.

SKIFS 1998:1, chapter 4 presents requirements on performing safety analysis:

Safety analysis

1 § Analyses of conditions of significance for the safety of a facility shall be made before the facility is constructed and taken into operation. The analyses shall thereafter be kept up to date. The safety analyses shall be based on a systematic inventory of such events, event sequences and conditions that may lead to a radiological accident.

The advice section to the above paragraph states that a safety analysis should cover, as far as possible, scenarios and circumstances potentially affecting the defence in depth.


In order to analyse a facility's functional capability from a safety point of view, good knowledge is needed of the facility's design, of possible failure mechanisms and of the processes and sequences that can take place. To this comes the need for models that describe the processes, sequences and failure mechanisms that should be analysed. Both deterministic and probabilistic analyses should be used, since they complement each other and thereby give as comprehensive a picture as possible of risk and safety. A safety analysis should cover a set of events or scenarios that, as far as possible, covers the event sequences and conditions that can affect the function of the defence in depth and thereby ultimately lead to an impact on the surroundings. Based on an analysis of the probability of the various events or scenarios, they should be divided into different categories.

R2000 (document still in development) contains explanations and guidance on how to interpret and apply SKIFS 1998:1. The R2000 draft (2001) [10] states:

“Diversification

In the design, manufacture, installation, commissioning, operation and maintenance of equipment of importance to safety, reasonable measures should, based on the safety need, be taken to minimise the introduction and prevent the occurrence of common cause failures (CCF).

Diversification should be designed both so that identified possibilities of CCF between redundant equipment are prevented and so that the probability of unforeseen CCF is reduced as far as is reasonable and possible. To achieve diversification of the function, other equipment classified as equipment of importance to safety may be credited in addition to the safety systems. Diversification should as a minimum be applied up to and including unanticipated events and for the safety functions reactor shutdown, core cooling, residual heat removal and overpressure protection.

Diversification and its intended effect on CCF should be described in the safety analysis report for each safety function together with its support functions.

The reactor protection system should be designed so that for all events up to and including improbable events there are at least two different ways of detecting the event, identifying the need and initiating protective measures via process parameters. An example of this is that in the case of an external pipe break in boiling water reactors, protective measures can be initiated both via the room monitoring system and via low water level in the reactor vessel. The different ways of detecting an event should be functionally separated.”

This means that diversity shall be applied as far as reasonably possible in order to minimise the introduction of CCF (translated from Swedish).

The following activities are also seen by SKI as important contributors to a good defence against CCF:

1. SKI requirements on MTO activities and feedback of experience.

2. Certain inspection and maintenance principles that are generally adopted, e.g. no maintenance of two redundant subs at the same time. The Technical Specifications require that other redundancies are tested in case a failure is identified for one redundancy.

3. The requirement to perform a PSA and to consider the results (according to SKIFS 1998:1).


5. Requirements for a two-stage safety review (an internal SKI document controls the safety review).

6. Different disciplines at SKI co-operate in inspection and review activities, which leads to high efficiency in identifying any missing dependency barriers.

7. Requirement for a SAR including single failure criteria. A group has been formed for re-assessing the SAR content.

8. Regular reporting, e.g. yearly and 10-year reporting (ASAR) with defined content, and RO reported immediately and checked by SKI.

9. Inspection activities used for follow-up of plant safety issues together with review of reporting from the plants.

Some areas with potential for strengthening the CCF defence were also discussed:

1. Increase awareness about the common cause failure issue and defence by introduction of specific CCF education.

2. Improve reporting of near misses.

It is the opinion of SKI (meeting participants) that programmable systems are a challenge with regard to CCF. This is supported by the event at Ringhals during summer 2001, when a software update for a breaker was introduced simultaneously in more than 40 breakers. The CCF potential was identified in the project. The test was designed to make sure the breaker opened in case of overcurrent (more than 120%). However, the breaker opened already at 80%, making the attached components unavailable also during normal conditions. Normal operation was not tested. The event shows the importance of test design, and of including normal operation in a test.

SKI has assigned personnel responsible for this specific area, who follow the development; in summer 2001, one activity is the follow-up of the Ringhals REPAC project concerning change of control system from an analogue to a digital system. One of the important aspects in this project is to consider CCF protection in the planning.

3.2 Observations and Discussion of Regulatory involvement in CCF defence

This limited investigation has identified the following similarities and differences. Both SKI and STUK require certain safety principles to be applied to assure defence in depth and the maximum reasonable CCF protection. The organisations exchange ideas, and the basic CCF defence imposed by regulations and advice is similar.

STUK has many regulatory guides (YVL) for different areas. The number of guides is 70 (2001), including radiation guides. In Sweden, radiation guides are issued by SSI (the Swedish Radiation Protection Institute).

Swedish requirements are less detailed than the corresponding set of STUK requirements.


It is not possible to judge which approach to organising the requirements, and which way of regulating, is preferable with regard to CCF.

A general observation is that key words like dependency, defence in depth, redundancy and diversity are missing from most headings in the regulatory documents, both Swedish and Finnish.

One question related to this observation is whether awareness of CCF and dependent failure defence, and thus the CCF defence itself, could be improved by introducing clearer requirements on CCF, either by changes to the current guides or by a separate guide with requirements on CCF defences including reporting, routines, analysis of events and education.

3.3 Plant Aspects

The survey collected many aspects of defence against dependent failures and especially common cause failures. This section summarises these aspects as a whole, without differentiating between plants or organisations.

The following phases are important parts of the life of equipment and systems at a nuclear power plant:

• Design
• Implementation
• Operation
• Test and maintenance

The defence against dependencies during design, implementation, and test and maintenance is discussed below. Operation is not discussed separately. However, failure reporting, the plant information system and feedback of experience are other very important parts of the defence, and they are also discussed below.

3.3.1 Design

Redundancy is required to meet the single failure criterion, and redundancy is implemented at function and system level.

The basic protection against dependent failures in redundancies is the use of separation, where separation is used in three principal ways:

• Functional separation
• Spatial separation
• Diversity (different design principles for different redundant systems or functions, and different software for the same purpose)

There are also other types of separation that can be used, like separation in organisation.

The need for functional separation is quite obvious: two redundant trains depending on the same power bus means that failure of the power bus will fail both trains. Nevertheless, it can be difficult to prove that functional separation exists. Methods used to do this include:


1. A design process with requirements on dependency assessment, covering dependencies within a change project and the impact on the current design.

2. Use of PSA (detailed modelling of the build-up and functional interaction of safety systems and support systems).

3. Use of a simulator for testing.

The design process itself is secured by having adequate project management instructions where dependency evaluation is explicitly required. Using different teams and methods to develop diverse designs can also help to secure redundancies.

Another example is to have this requirement in the standard contract template. The design process also includes requirements on internal review and preliminary safety review (PSG). All these are administrative barriers to identify and remove weaknesses in the process. Finally, the authorities will review the process.

Separation costs money, and especially diversity in design and spatial separation can be resource consuming. The validation and verification cost can be substantial. Therefore, the final design will contain many similar components placed in the same location, and separation by distance is used instead of closed compartments.

3.3.2 Implementation

Time separation by the use of stepwise implementation is a method to discover and correct design weaknesses before they can affect all redundancies. Stepwise implementation will also help in identifying ageing effects. Full effectiveness of time separation is achieved only if the plant information system contains sufficiently detailed information on the time points of changes, as well as the time points of tests and maintenance activities.

Important aspects with regard to stepwise implementation are:

• Stepwise implementation is not always possible
• How long should a step be?
• How is CCF to be detected between steps?
• What are the requirements on systematic evaluation of experience?

An effective failure reporting system and a high quality of safety culture are also needed to allow credit for time separation in dependency protection.
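The two points above, that a test must cover normal operation as well as the fault case (the breaker update in section 3.1) and that stepwise implementation only pays off if faults are detected between steps, as an added worked example. This is not code from the NAFCS report or from any plant; the firmware versions, set-points, the four subs and the "operate at normal load before the next step" rule are constructed assumptions.

```python
"""Stepwise roll-out of a software change across redundant trains.

Added worked example; it is not code from the NAFCS report or from any plant.
It models the breaker software-update event in section 3.1 (the new version
was meant to trip above 120 % but tripped at 80 %, and the test exercised only
the overcurrent case) together with the stepwise implementation of section
3.3.2. Firmware versions, set-points and train names are constructed
assumptions, not plant data.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

NORMAL_LOAD_PCT = 100.0     # assumed normal operating current, % of rated
OVERCURRENT_PCT = 130.0     # assumed fault current used by the test


@dataclass
class BreakerFirmware:
    version: str
    trip_setpoint_pct: float  # breaker opens when current exceeds this value


@dataclass
class Train:
    name: str
    firmware: BreakerFirmware
    log: List[str] = field(default_factory=list)


def trips(fw: BreakerFirmware, current_pct: float) -> bool:
    return current_pct > fw.trip_setpoint_pct


def overcurrent_only_test(fw: BreakerFirmware) -> bool:
    """The test as described in the event: breaker must open on overcurrent."""
    return trips(fw, OVERCURRENT_PCT)


def full_acceptance_test(fw: BreakerFirmware) -> bool:
    """Both directions: opens on overcurrent and holds at normal load."""
    return trips(fw, OVERCURRENT_PCT) and not trips(fw, NORMAL_LOAD_PCT)


def new_fleet() -> List[Train]:
    """Four redundant subs (constructed), all on the proven version 1.0."""
    return [Train(f"sub {s}", BreakerFirmware("1.0", 120.0)) for s in "ABCD"]


def unavailable_at_normal_load(trains: List[Train]) -> List[str]:
    """Trains whose breaker would open spuriously during normal operation."""
    return [t.name for t in trains if trips(t.firmware, NORMAL_LOAD_PCT)]


def simultaneous_rollout(trains: List[Train], new_fw: BreakerFirmware,
                         acceptance_test: Callable[[BreakerFirmware], bool]) -> List[str]:
    """Update every train at once if the single pre-installation test passes.
    Returns the trains left unavailable at normal load afterwards."""
    if acceptance_test(new_fw):
        for t in trains:
            t.firmware = new_fw
            t.log.append(f"-> {new_fw.version}")
    return unavailable_at_normal_load(trains)


def staged_rollout(trains: List[Train], new_fw: BreakerFirmware,
                   acceptance_test: Callable[[BreakerFirmware], bool]
                   ) -> Tuple[List[str], Optional[str], Optional[str]]:
    """Update one train per step; test it, then run it at normal load before
    touching the next train (the operating experience between steps that gives
    time separation its value). Returns (updated trains, train on which the
    roll-out halted or None, how the fault was detected or None). A halted train
    is rolled back, so the other redundancies never carried the bad version."""
    updated: List[str] = []
    for t in trains:
        old = t.firmware
        t.firmware = new_fw
        if not acceptance_test(new_fw):
            t.firmware = old
            t.log.append(f"{new_fw.version} rejected by acceptance test")
            return updated, t.name, "acceptance test"
        if trips(new_fw, NORMAL_LOAD_PCT):
            t.firmware = old
            t.log.append(f"{new_fw.version} tripped in service, rolled back")
            return updated, t.name, "operation between steps"
        t.log.append(f"-> {new_fw.version}")
        updated.append(t.name)
    return updated, None, None


def demo() -> dict:
    bad = BreakerFirmware("1.1", trip_setpoint_pct=80.0)   # mis-set, as in the event
    good = BreakerFirmware("1.2", trip_setpoint_pct=120.0)
    return {
        # Weak test, all subs at once: the event as it happened.
        "weak_simultaneous": simultaneous_rollout(new_fleet(), bad, overcurrent_only_test),
        # Weak test, one sub at a time: operation of the first sub reveals the fault.
        "weak_staged": staged_rollout(new_fleet(), bad, overcurrent_only_test),
        # Test covering normal operation: rejected before any sub is changed.
        "full_staged": staged_rollout(new_fleet(), bad, full_acceptance_test),
        # A correct version passes every step.
        "good_staged": staged_rollout(new_fleet(), good, full_acceptance_test),
    }
```

The weak test passes the mis-set version in every scenario; what limits the damage in the staged cases is either the negative test (hold at normal load) or the service period between steps. If neither exists, staging alone gives no protection, which is the point of the question "How is CCF to be detected between steps?" above.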

3.3.3 Maintenance and Testing

Time separation in maintenance and testing will lead to an increased probability of detecting potential common cause failures before they happen. This is a common approach.

Separation of staff may decrease the probability of dependent failures, but it also has the potential to increase the independent failure rate, because each member of staff gets less training on each activity.

Other defences related to maintenance and testing include:

• Test of the redundant trains when one train has failed, with or without a judgement on the potential for CCF.
• Checking of calibration and tool settings before use, after use and at regular intervals.
• Work on one sub at a time.
• Limited access to redundant trains (only part of the redundancies at a time), realised e g by a key system: the work order for one redundancy is completed first, then the next work order is started.
• Key locking of valve positions.
• DKV (driftklarhetsverifiering, operational readiness verification).
• Monitoring of equipment according to its importance: individual component follow-up, batch follow-up or no follow-up.

Maintenance activities are divided into four groups:

1 STF related (safety)
2 Operation (money)
3 Important but not necessary
4 Less important (allowed to fail)

Group 1 is repaired according to STF. Group 4 has no repair priority; the work is done when time is available.

There are also some other practices in the use of procedures:

1. Page numbering, and checking that all pages are included in a copy.

2. Extra verification and signing of the state of manual valves that have changed position during testing and maintenance activities.

3. Regular review of procedures, e g every four years.

3.3.4 Failure Reporting

Failure reporting practices are in principle as follows:

A failure report is made, and a judgement is made as to whether it is a potential dependency or not. The judgement is verified in steps.

It is observed that a special check mark is to be made on the form only if CCF is suspected. This means that if the check mark is missing, there is no evidence that a judgement or decision on CCF was made at all. It is proposed to change the form either to require a check mark when no CCF is suspected, or to have two choices: CCF and no CCF.

It is important for reporting to have a low threshold, where near misses are also reported.
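The difference between the two forms expressed as a data model for the failure report record, as an added example that is not from the NAFCS report or from any plant information system. The field names, the three sample reports and the rule that a report cannot be closed without a named judge are assumptions made for the illustration.

```python
"""Recording the CCF judgement on a failure report so that its absence is visible.

Added example, not from the NAFCS report. The old form is modelled as a single
'CCF suspected' mark (a boolean that defaults to False); the proposed form as an
explicit three-state judgement plus the name of the person who made it. All
report records below are constructed sample data.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class CcfJudgement(Enum):
    NOT_ASSESSED = "not assessed"
    NO_CCF = "no CCF suspected"
    CCF_SUSPECTED = "CCF suspected"


@dataclass
class OldFormReport:
    report_id: str
    component: str
    ccf_suspected: bool = False  # mark is made only when CCF is suspected


@dataclass
class NewFormReport:
    report_id: str
    component: str
    judgement: CcfJudgement = CcfJudgement.NOT_ASSESSED
    judged_by: Optional[str] = None


def old_form_unassessed(reports: List[OldFormReport]) -> List[str]:
    """Under the old form the question cannot be answered: an unmarked box looks
    exactly like 'judged, no CCF'. Returns every report that *looks* like no CCF."""
    return [r.report_id for r in reports if not r.ccf_suspected]


def new_form_unassessed(reports: List[NewFormReport]) -> List[str]:
    """Reports still lacking an explicit judgement, i.e. open review actions."""
    return [r.report_id for r in reports
            if r.judgement is CcfJudgement.NOT_ASSESSED]


def can_close(report: NewFormReport) -> bool:
    """Assumed rule: closing a report requires a recorded judgement and a named judge."""
    return (report.judgement is not CcfJudgement.NOT_ASSESSED
            and report.judged_by is not None)


def ccf_candidates(reports: List[NewFormReport]) -> List[str]:
    """Reports that should trigger a test of the other redundancies."""
    return [r.report_id for r in reports
            if r.judgement is CcfJudgement.CCF_SUSPECTED]


def migrate_old_form(old: OldFormReport) -> NewFormReport:
    """Migration of old records: a missing mark cannot be read as 'no CCF',
    so it becomes NOT_ASSESSED and has to be judged again."""
    judgement = (CcfJudgement.CCF_SUSPECTED if old.ccf_suspected
                 else CcfJudgement.NOT_ASSESSED)
    return NewFormReport(old.report_id, old.component, judgement)


# Constructed sample: three failure reports on pumps of the same type.
OLD_FORM = [
    OldFormReport("FR-1", "pump A"),                      # was judged: no CCF
    OldFormReport("FR-2", "pump B"),                      # was never judged
    OldFormReport("FR-3", "pump C", ccf_suspected=True),
]
NEW_FORM = [
    NewFormReport("FR-1", "pump A", CcfJudgement.NO_CCF, "shift engineer"),
    NewFormReport("FR-2", "pump B"),                      # judgement still missing
    NewFormReport("FR-3", "pump C", CcfJudgement.CCF_SUSPECTED, "shift engineer"),
]
```

On the old form FR-1 and FR-2 are indistinguishable; on the new form only FR-2 shows up as an open action, and it cannot be closed until someone records a judgement. Migrated old records are deliberately reset to "not assessed" rather than silently turned into "no CCF".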

3.3.5 Plant Information system

A plant information system (note 4) is essential in the defence against dependencies. The plant information system needs to hold information on all factors of importance for plant safety, at a sufficient level of detail to allow follow-up of failures of those parts of a component whose failure is critical for the component in question.

Note 4: The plant information system refers to all databases carrying information on the plant's systems, structures and components, such as component types, history, test intervals, actual test times, location of components, work orders etc.

Again, the focus shall be on the risk-important components. Less risk-important components can be given less attention, and resources can be focused on the high contributors. This kind of grouping can be used in maintenance, testing and the plant information system.

3.3.6 Exchange of Experience

Exchange of experience, in addition to failure reporting, is made in many different ways. Examples of practices in place are:

• The plants have designated persons responsible for specific components and systems.
• A written report on the performance of components and systems is required yearly, according to a separate instruction and templates.
• Internal meetings are held for exchange of experience.
• External meetings are held for exchange of experience between the system and component responsible persons of different plants.
• Participation in owners' groups (meetings and information exchange).
• Participation in the meetings and work of other groups such as ERFATOM, INPO and WANO.

3.4 Most Important Contributors and Defences

Questions concerning the judgement of the dominating dependency contributors and the best defences were asked during the meetings. The following answers were noted, without priority:

Table 2: Opinion on Dominating Contributors to CCF.

• Money savings resulting in a slim organisation and a movement from preventive to corrective maintenance
• Staff turnover (has an impact on knowledge and experience)
• Ageing
• Human factors: planning errors and organisational factors
• Design (changes, ageing)

Table 3: Opinion on Important Defences Against Dependencies.

• Awareness (increased)
• Simple solutions
• Knowledge and experience
• Good safety culture
• Effective feedback of experience
• Review in several steps
• Tests, use of the information system

4 Conclusions

The basic mechanism to avoid failure of redundant equipment due to a common cause is separation. Separation can be introduced in many ways. The most important types of separation used are:

• Functional separation
• Spatial separation
• Design separation (diversity)
• Time separation

Functional, spatial and design separation are mainly technical defences.

The different types of time separation are administrative defences. Time separation by stepwise introduction of new equipment, staggered testing etc. needs to be combined with efficient systems for testing, failure reporting and plant information. The plant information system needs a sufficient level of detail for common parts to be traced. Efficient reporting depends on skilled and motivated personnel supported by good procedures.

A collection of defences gathered during the plant visits is presented in Table 4. Even if defences are applied, there will always be a risk that something is overlooked. It is not possible to create total separation in all aspects between redundant equipment. There is also a money issue involved in CCF defence. Introduction of diverse equipment requires extra equipment qualification with related costs, which means that diverse equipment will be very expensive. Introducing the same equipment stepwise saves money, but it is then important to have quality control and exchange of experience, and to take advantage of the stepwise introduction and other types of time separation. To be able to do this, detailed follow-up and reporting are necessary. It has to be noted that stepwise implementation is not always possible, and that it may also cost extra compared with introduction in all redundancies at the same time.

Depending on the level of detail, there might be dependencies at a level below pump and valve, e g the use of the same oil for lubrication, or some small common parts. Proving diversity may therefore also be difficult: who is delivering the small parts used by all suppliers and designers?

An important part of the defence is a high level of awareness of the dependency and CCF issue. The work within the NAFCS group contributes to increased awareness. The plant visits indicate differences in the level of awareness of the CCF issue. The discussions have been good, and there seems to be an interest in continued communication in this area.


One idea is to produce education material based on the information collected during the plant visits and from the ICDE database, and complemented with other material. The continued work may also involve a comparison between different actors. Such a comparison can be seen in relation to differences in reported CCF events, reported failures, reported availability etc. Is it possible to see any differences in the fractions of common cause failures in different countries, plants, owners? The same question can also be asked concerning the independent failure rates and plant availability. Is high availability a factor that can be given credit when assessing common cause parameters?

Table 4: Dependency Defence Factors Noted during Survey Meetings

Design

• Instruction for introducing changes: 1) proposal; 2) monthly meeting (operation, safety, maintenance); 3) indication of the need for PSA analysis; 4) change/modification proposal with a PSA plan. The contract with the supplier requires that CCF is considered.
• Require consideration of dependence impact in contracts with suppliers.
• Require PSA (mainly for evaluation of functional and spatial dependencies, but also for checking other types of common characteristics).
• Include CCF requirements in the project management model.
• Validate procedures in the simulator.
• Defence in depth in design by the combination of independent review and primary safety review (PSG).
• Functional separation.
• Spatial separation.
• Diversity in design.
• Review system functions using simulators to identify dependent failure risk.
• Single failure analysis.
• Fire PSA to identify spatial separation deficiencies.
• Use PSA for subtle interaction checking.
• Choose components of high quality and with a lot of operating experience.
• Requirements on dependencies, failure rates and CCF rate in purchasing. It is required to show that the requirements are met.
• Requirements on FMEA, FTA and HRA in purchasing.
• Consideration of ageing in purchasing.
• Test of new design in the simulator before installation.
• Several meetings to present a modification: technical meeting and plant meeting.
• Equipment qualification.
• Use PSA for CCI analysis.
• Use the simulator for CCI analysis.

Feedback of experience

• Reporting of LERs.
• Participation in ICDE.
• Participation in NAFCS.
• Risk follow-up activities.
• Meetings between the system responsible persons of different plants.
• Meetings between the component responsible persons of different plants.
• ERFATOM.
• System responsible persons.
• The component responsible person prepares a yearly report that shall take a position concerning CCF.
• Procedure for the work of system/component responsible persons.
• Group SAMDOK with TVO, FKG, OKG and BKAB (earlier also RAB). The group exchanges technical planning information. Meeting reports are distributed.
• NOG, Nuclear Owners Group.

Implementation

• Test after installation.
• Stepwise introduction of new equipment (to gain experience before full introduction).
• Different age of different redundancies.

Operation

• Have CCF on the agenda for shift meetings (and other meetings).
• Have a policy of using instructions.
• Make sure procedures and instructions have page numbering.
• Check the page numbering of copies.
• Competent personnel.
• Weekly (Friday) meetings to inform personnel about changes (shift supervisors).
• Limited access to redundancies (administrative).
• Limited access to redundancies (by different keys for accessing the AC and BD subs respectively).
• Awareness of CCF.
• Safety culture.
• Cross lists (krysslistor) for new instructions (each operator shall acknowledge a new instruction).
• Safety Committee.

Reporting

• Check for possible dependency impact in case of failure.
• Check marking on the failure reporting form to make the check of dependency potential traceable.
• The next step is a primary review meeting, with a new evaluation of affected components and mitigating actions.
• Reporting of instances of miscalibrated equipment.
• Reporting of instances of miscalibrated tools (e g calibration instruments and torque wrenches).
• Low reporting threshold.
• PSA investigation of deviations from STF.
• Root cause analysis after an LER, with reporting of lessons learned.
• Morning meeting with review of failure reports and check for CCF and systematic failures.
• Follow-up of reported CCF failure report cases.
• Extra monitoring of especially important components, e g control rod drives, according to a special instruction.
• Trend analysis of components and systems to identify ageing effects.

Test and maintenance

• All maintenance activities should be recorded in the work order system.
• Time separation between tests.
• Time separation between maintenance activities.
• One redundancy is tested while the other is kept available.
• One redundancy is maintained while the other is kept available.
• Judgement of whether other redundancies can be affected by a test.
• Judgement of whether other redundancies can be affected by a maintenance activity.
• Exchange practices that make sure a state of different ages for different redundant equipment is maintained.
• Different testing times (operation of diesel 1 for only a short period and diesel 2 for a longer period, swapped next time).
• Independent analysis of the quality of oil delivered to the diesels.
• Test of redundant equipment when a component is unavailable (regardless of whether CCF is suspected or not?).
• Driftklarhetsverifiering (DKV, operational readiness verification).
• Staggered testing.
• Staff separation in test and maintenance. Not necessarily a good defence: observe the risk of too little training if test occasions are few. The risk of too little training has to be weighed against the risk of trained personnel making the same mistake in several redundant trains.
• Check of the calibration instrument before calibration.
• Check of the calibration instrument after calibration.
• Regular calibration checking.
• Marking of calibrated equipment.
• Bicycle used for maintenance optimisation.
• Motivate changes of maintenance intervals.
• Logging of maintenance/test interval changes in the plant information system.
• Provide information on possible dependency/CCF risks on work permits. Judgement by the shift engineer (skiftingenjör) and approval by operations management (driftledning) at the morning meeting (morgonbön).
• Several persons involved in an activity, e g electrical permission: one writes, another reviews and approves.
• Have an extra operator verify the position of manual valves that have changed position during a test.
• Model work (mock-ups).

Other

• Existence and use of SKIFS 1998:1.
• Existence and use of applicable IAEA guidelines.
• Existence and use of 10CFR50, especially Appendix J concerning test and maintenance, in support of dependency protection.
• CCF policy?
• Guides with dependency defence principles.
• Education/safety culture for shift engineers.
• Encourage personnel to propose improvements of any kind.
• Have a CCF check in check lists.


5 References

1. Gunnar Johansson, Nordisk Arbetsgrupp för CCF Studier: Project Programme, ES-konsult, 2000-12-19.

2. A.J. Bourne, G.T. Edwards, D.M. Hunns, D.R. Poulter, I.A. Watson, "Defences against Common Mode Failures in Redundancy Systems. A guide for management, designers and operators", SRD R 196, SRD, January 1981.

3. YVL 1.0, Safety criteria for design of nuclear power plants, 12 Jan 1996.

4. YVL 1.5, Reporting nuclear power plant operation to the Finnish Centre for Radiation and Nuclear Safety, 1 Jan 1995.

5. YVL 2.7, Ensuring a nuclear power plant's safety functions in provision for failures, 20 May 1996.

6. YVL 2.8, Probabilistic Safety Analyses (PSA), 20 Dec 1996.

7. R. Virolainen, "Major Risk Informed Plant and Procedural Changes at Loviisa 1 and 2", STUK, 15/6 2000.

8. R. Virolainen et al, "Use of Living PSA in Regulatory Decision-Making".

9. SKIFS 1998:1, Statens kärnkraftinspektions föreskrifter om säkerhet i vissa kärntekniska anläggningar, 22 September 1998.

10. R2000, draft 2001.


Appendix A: Questionnaire and Items for Discussion for Plant Survey Meetings

1 Introduction

The questions are intended to support the discussion. Some background, and example defences and indicators, are listed after the questions.

2 Questions

Describe, exemplify and/or give references to plant documents.

1. Does a CCF policy, education and/or information programme exist? Which plant staff are included in the programme? Describe and exemplify.

2. How are system reliability demands and the CCF problem expressed in the design phase of plant modifications, for example in terms of:

a. Identification
b. Minimisation
c. Defences
d. Review
e. Guides

3. Give examples of the plant policy, for operation, test and maintenance activities, to prevent CCFs caused by:

a. Faulty procedures
b. Human errors
c. Design errors

4. Is there a check list or procedure to identify a potential CCF from a single failure? Are there rules of action once a potential CCF is detected? Is there a special record of failures, potential CCFs and CCFs, and of the actions taken to prevent recurrence?

5. Which basic engineering principles are used in plant design, and which plant modification guidelines or other recommendations are used?

6. What is the strategy for repair of degraded safety-important equipment under time pressure (STF repair criteria), when a thorough fault analysis is not yet available?

7. How is the test mix of a system optimised within the desired safety level?

8. Which method or tool is used to optimise the safety and resource use of preventive maintenance actions, so as to minimise downtime and costs?

9. Is there potential for developing the STF towards online maintenance? (To optimise the amount of planned maintenance during operation and make its planning more flexible.)


10. What action is taken when a pump fails?

11. What action is taken when a DG fails?

Shorter questions (mostly yes/no):

1. Are system functions reviewed to identify CCF risks?

2. After an identified CCF or potential CCF, are possible defences analysed?

3. Is the risk of possible CCF events noted on work permits?

4. Are procedures reviewed for potential CCFs?

5. Do the original design principles and the modification principles include:

a. Diversity
b. Fail-safe design
c. Separation
d. Derating
e. Simplicity

6. Is separation in time used in:

a. Construction
b. Test
c. Maintenance

7. Is separation of staff used in:

a. Construction
b. Test
c. Maintenance

8. What are the last actions in a maintenance procedure?

9. Is the maintenance equipment verified before use?

10. Are all maintenance activities recorded?

11. Are test procedures aimed at revealing any CCF in redundant systems?

12. Are test procedures checked so that they do not introduce CCFs?

13. Is operational access limited to any system?


3 Background

Difference in consequence:

• Single failure
• Common cause failure

The plants are designed to handle a single failure (the "single failure criterion").

To achieve the desired system reliability and single failure tolerance, the design includes redundancy and diversity.

The plant itself reacts to a single failure; management, operators and maintenance staff have to act to handle a CCF. For single failures, T-book data can be used directly in PSA. The data is a direct measurement of plant equipment performance.

The CCF parameters for PSA depend on human performance to a higher degree than the single failure parameters do.

4 Example Defences

1. Separation
• Physical
• Design
• Construction
• Maintenance
• Time

2. Management
• Knowledge
• Actions
• Monitoring

3. Procedures
• Maintenance
• Test
• Operation

5 Indicators

The time and means of detection can be used as an indicator of plant CCF awareness. In the ICDE database the detection codes can be graded from good CCF response to less good:

1. Good response
• Test during operation
• Monitoring in control room
• Monitoring on walkdown
• Unscheduled test (second failure)

2. Acceptable response
• Test in laboratory
• Test during annual overhaul
• Maintenance / test
• Unscheduled test (first failure)

3. Bad response


The time interval between the first and second failure can be used as a second indicator, together with the operators' identification of a failure as a potential CCF event. Immediate test of the other equipment in a CCF group is a good response. If the second and further failures are instead detected at normal operation, tests or maintenance, after a time span that would have allowed analysis and action following the first failure in the CCF group, this indicates a less good response to CCF events.

6 Some General Questions

1. What protection against dependencies is built into the design?

2. What protection against dependencies is used in operation?

3. What protection against dependencies is used in maintenance?

4. How is experience concerning dependent failures collected, analysed and used as feedback?

5. Has failure experience led to changes in dependent failure defence?

6. Has PSA or other types of analyses identified deficiencies in dependent failure protection?

7. If yes, have changes been introduced?

8. Has the PSA been used to actively check for subtle interactions?

9. What IAEA guidelines, if any, are used in dependent failure protection?

10. What SKI guidelines have been or are used regarding dependent failure protection?

11. What NRC guidelines have been or are used regarding dependent failure protection?

12. What other guidelines have been or are used regarding dependent failure protection?

13. How is the single failure criterion applied?

14. Which gaps in the defence have been identified at the plant over the years?

15. What is your opinion on the most important improvement areas with regard to dependency defences?


Appendix B: Agenda for Plant Survey Visits

Meeting opening

Presentation of meeting participants

Presentation of the NAFCS work plan: objectives, scope, tasks, time schedule

Presentation of the "Plant Survey" planning and the list of questions/statements for discussion

Planning of the day for individual discussions with plant representatives from different departments

Discussions in the full group, or individually, following the list of questions

Summing up the day in the whole group


Nordisk Arbetsgrupp för CCF studier Work Notes to NAFCS-PR05


Title: PR05 Work Notes- Survey Meeting Notes (Appendix C-H to report NAFCS PR05)

Author(s): Per Hellström, RELCON AB

Issued By: Per Hellström, RELCON AB

Reviewed By: N/A Approved By: N/A

Abstract: These work notes are the meeting notes from the visits to plants and authorities performed as part of the plant and regulatory survey on defences against dependent failures.

The meeting notes are part of the NAFCS report PR05, but are not published.

Doc.ref: Project reports

Distribution WG, Project WebSite, Project archive

Confidentiality

control: Restricted

Revision control: Version U1 (Final), dated 2003-08-31, initials PH

List of Content

Appendix C Notes from STUK Visit
Appendix D Notes from SKI Visit
Appendix E Notes from OKG Visit
Appendix F Notes from BKAB Visit
Appendix G Notes from TVO Visit
Appendix H Notes from Forsmark Visit


Appendix C: Notes from STUK Visit

STUK, 2001-11-21 (2 hours, whole group together). Participants: Reino Virolainen, Ilkka Niemelä.

Policies

The State Council Decision requires systems to be safe, with good redundancy, separation and diversity.

Requirement for in-house PSA since 1984.

Guiding Documents

Several regulatory guides (YVL series) state requirements related to CCF defence. Examples are:

YVL 1.0, Safety criteria for design of nuclear power plants (current version 12 Jan 1996)
YVL 1.5, Reporting nuclear power plant operation to the Finnish Centre for Radiation and Nuclear Safety (current version 1 Jan 1995)
YVL 2.7, Ensuring a nuclear power plant's safety functions in provision for failures (current version 20 May 1996)
YVL 2.8, Probabilistic Safety Analyses (PSA) (current version 20 Dec 1996)

It is required to have data collection and data processing systems (YVL 1.5). It is required to have statistical trend analyses (YVL 1.5).

One should be able to identify CCF events. Training in CCF identification is performed.

Routines

3-step inspection system:

A Management inspection, at top level and less detailed.

B Process inspection: the purpose is to inspect different work processes that depend on each other, e g maintenance and the connected processes. This level is used for review of modernisation projects.

C Detailed inspection at function and system level. Until 2-3 years ago (1998) this was the only inspection type. PSA is at this level.

Reporting

Operating experience is collected and reported.

PSA is used to identify design errors and has resulted in backfitting. PSA reviews have identified weak points.


Practice to send the latest PSA model to STUK twice a year. Living PSA is required.

The threshold for reporting is judged to be low (Virolainen). This means that it is felt likely that CCF events really are reported.

A report, "Human based Common Cause Failures in Finnish plants", presents 10-15 events during the last 10-15 years. Many events are related to distraction during work, e g due to delays.

Testing efficiency in identifying CCF is too low.

Measures taken

Received during the meeting:

Draft reports from the EU project on the harmonisation in the field of safety of nuclear installations; survey of PSA from both TVO and IVO.

R Virolainen, "Major Risk Informed Plant and Procedural Changes at Loviisa 1 and 2", STUK 15/6 2000.

R Virolainen et al, "Use of Living PSA in Regulatory Decision-Making".

Special potential CCF event: TVO isolation valves. Led to the exchange of bakelite gears for brass gears. Replacement principles are important for identifying ageing problems.
